In light of past and recent posts from mubix (one, two) and jcran, I thought I'd post the hack I used to connect to, then run Metasploit post-exploitation modules across, several thousand machines. I still need to go through them all and merge them, but I thought I'd throw my hat in the ring. Thanks to mubix for his help on the job with some of it.

On a pentest with a massive internal network, we managed to get access to 22k machines as local admin using a local account (verified with ncrack). Obvious domain priv esc routes were shut down, so it was time to extend our control and information. I wanted hashes, cached domain creds and available tokens from each of these. So I put together the following Metasploit massploitation script. The main difference between this and the other solutions posted is that my box fell over with several thousand meterpreter sessions open, so I wanted a way to automate connecting and pulling the info without needing all the sessions to be open at once.

Essentially, there are three parts:

The massploitation.rc, this is the script run in the console (capturing the output is a good idea)

The targets file which has a list of targets, one per line

The extract.rc that is run within each meterpreter session by the massploitation script. You can change this to what you need.

The stuff isn’t perfect, as there is a race condition where sometimes it tries to execute the meterpreter script before the meterpreter session is ready. Other than the delay, I’ll need to spend some time to understand Metasploit’s threading.
